Gear up like an attacker.
Defend like a pro.
Courses, tools, and vouchers from the team that hunts bugs for a living — delivered to your inbox before you’ve closed the tab.
Free security tools
Real, working command-line tools we built and use ourselves. Create a free account, download, and run — no strings.
HTTP Security Headers Auditor
Grade any site's security headers in one command - and get the exact fix for every miss. The **HTTP Security Headers Auditor** is a free, single-file command-line tool from Bug Circuit that tells you, in seconds, how well a website is protected by its HTTP response headers - and exactly what to change to improve it. Point it at a site you own or are authorized to test, and it fetches the page like a browser would, follows redirects, and inspects the headers the server returns. There is nothing to install: it is pure Python 3 standard library, so you download one file and run it. It grades the headers that actually stop attacks - Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and the Cross-Origin isolation headers - using a weighted model that gives partial credit for headers that are present but weakened (a CSP with `'unsafe-inline'`, a short HSTS `max-age`, a deprecated `ALLOW-FROM`). It also flags information-disclosure headers like `Server` and `X-Powered-By` that hand attackers a fingerprint of your stack. The result is a clean A+-to-F report with per-header PASS/WARN/FAIL status and a remediation block containing the exact header line to add. Built for real workflows: `--json` gives you machine-readable output for dashboards and pipelines, and `--min-grade` returns a non-zero exit code so you can fail a CI build the moment your own site regresses below your bar. It is strictly passive and defensive - one browser-like GET request, no payloads, no exploitation, no evasion - and cross-platform across Windows, macOS, and Linux. Use it on your own assets to keep your header hygiene tight, release after release. ## How to use - Install Python 3.8 or newer (macOS and most Linux distros already have it; Windows users can grab it from python.org). - Download bugcircuit-headers.py - it is a single file with no dependencies to install. - Open a terminal in the folder and run: python3 bugcircuit-headers.py https://your-site.com - Read the letter grade, then work through the Remediation block - each miss shows the exact header line to add. - Add --json to get machine-readable output, or --min-grade B to fail a CI pipeline when your site drops below a B. - Re-run after deploying your header changes to confirm the grade improved. ## Example commands ```bash python3 bugcircuit-headers.py https://example.com python3 bugcircuit-headers.py example.com --no-color python3 bugcircuit-headers.py --json https://example.com > report.json python3 bugcircuit-headers.py --min-grade B https://staging.mysite.com python3 bugcircuit-headers.py --insecure https://localhost:8443 python3 bugcircuit-headers.py --timeout 30 --max-redirects 5 https://example.com ``` --- Free · MIT licensed · Python 3.8+ · no dependencies · runs on Windows, macOS & Linux. A free tool from Bug Circuit.
Password Strength & Breach Auditor
Rate your password's real strength offline, then check it against billions of breached passwords without ever sending the password itself. **Password Strength & Breach Auditor** is a free, single-file command-line tool from Bug Circuit that tells you two things every password owner should know: how strong a password really is, and whether it has already leaked in a known data breach. It runs on any machine with Python 3.8+ — no installation, no dependencies, no account. Just download one file and run it. The offline analysis goes well beyond a naive "length times character types" score. It combines a conservative entropy estimate with pattern detection tuned to how attackers actually guess: keyboard walks (qwerty, asdf, and AZERTY/QWERTZ layouts), ascending and descending sequences, repeated blocks, embedded dates and years, and common dictionary words — including leetspeak disguises like "P@ssw0rd". Each weakness reduces the effective score, yielding a clear rating from *very weak* to *very strong* and a rough offline crack-time estimate you can actually act on. The optional breach check is where privacy is treated as non-negotiable. Using Have I Been Pwned's k-anonymity range API, your password is SHA-1 hashed locally and only the first five characters of that hash are ever sent over the network; the match is completed on your own machine. The password — and even its full hash — never leaves your computer, responses are padded to avoid leaking the result, and passwords are only ever read from a hidden prompt or stdin, never from the command line or any log file. Cross-platform, colorized when it helps and plain when piped, with sensible exit codes for automation, it is a small tool that does one important job carefully. Use it only on passwords and accounts you own or are authorized to test. ## How to use - Install Python 3.8 or newer (most macOS/Linux systems already have it; on Windows, get it from python.org). - Download bugcircuit-passaudit.py from Bug Circuit and open a terminal in the folder where you saved it. - Run 'python3 bugcircuit-passaudit.py' (use 'python' on Windows) and type your password at the hidden prompt to get an offline strength report. - Add '--check-breach' to also test the password against billions of breached passwords using privacy-preserving k-anonymity. - Read the rating, weaknesses, and (if enabled) breach count; anything rated weak or found in a breach should be replaced. - For scripts or CI, pipe the password with '--stdin' and branch on the exit code (0 = good, 1 = weak or breached). ## Example commands ```bash python3 bugcircuit-passaudit.py python3 bugcircuit-passaudit.py --check-breach printf '%s' "$MY_TEST_PASSWORD" | python3 bugcircuit-passaudit.py --stdin --check-breach python3 bugcircuit-passaudit.py --check-breach --timeout 20 --no-color python3 bugcircuit-passaudit.py --help ``` --- Free · MIT licensed · Python 3.8+ · no dependencies · runs on Windows, macOS & Linux. A free tool from Bug Circuit.
BugCircuit JWT Inspector
Decode any JWT offline, read every claim in plain time, and lint it for the security smells that get tokens forged. **BugCircuit JWT Inspector** turns the opaque `eyJ...` blob in your logs, headers, and config files into something you can actually read and reason about. Paste a token and it decodes the header and payload, pretty-prints every claim, and translates the cryptic `exp`, `iat`, and `nbf` epoch numbers into plain UTC timestamps and human phrases like "expired 3 minutes ago" or "valid for another 14 days." No more copy-pasting production tokens into random websites just to see what's inside. Beyond decoding, it acts as a defensive linter. It flags the exact issues that lead to real-world token forgery and account takeover: `alg=none` unsigned tokens, missing or non-string algorithms, algorithm-confusion risk, missing expiry, expired and not-yet-valid tokens, tokens with dangerously long lifetimes, sensitive data accidentally placed in a payload that is only encoded (not encrypted), and HMAC tokens signed with a well-known placeholder secret like `secret` or `changeme`. Each finding comes with a severity and a short, practical explanation of why it matters and how to fix it. With `--secret` you can verify the HS256/384/512 signature of a token you issued, straight from the command line. The tool is a single Python 3 file with **zero dependencies** — download it and run it. It is cross-platform (Windows, macOS, Linux), colorizes output only on a real terminal, offers a `--json` mode for CI pipelines, and uses meaningful exit codes so you can fail a build when a token carries a serious finding. It is strictly passive, offline, and defensive: it never touches the network, never brute-forces third-party secrets, and the weak-secret check runs against a tiny fixed list purely so you can audit your own careless defaults. A free, brand-quality utility from Bug Circuit. ## How to use - Install Python 3.8 or newer (it is preinstalled on most macOS and Linux systems). - Download bugcircuit-jwt.py — no pip install, no dependencies. - Run: python3 bugcircuit-jwt.py <YOUR_TOKEN> (a leading 'Bearer ' is stripped automatically). - Or pipe it in: echo "$TOKEN" | python3 bugcircuit-jwt.py --stdin, or read a file with --file token.txt. - Read the decoded header, payload, human-readable time claims, and the severity-ranked security findings. - Optionally verify your own token's signature with --secret 'your-key', or emit --json for CI and gate on the exit code. ## Example commands ```bash python3 bugcircuit-jwt.py eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abc123 echo "$MY_JWT" | python3 bugcircuit-jwt.py --stdin python3 bugcircuit-jwt.py --file token.txt python3 bugcircuit-jwt.py --secret 'my-hs256-signing-key' "$MY_JWT" python3 bugcircuit-jwt.py --json "$MY_JWT" > jwt-report.json ``` --- Free · MIT licensed · Python 3.8+ · no dependencies · runs on Windows, macOS & Linux. A free tool from Bug Circuit.
File Integrity & Hash Toolkit
Fingerprint, snapshot, and verify your files with one dependency-free Python script. **bugcircuit-hash** is a single-file, zero-dependency command-line toolkit for verifying that your files are exactly what you expect them to be. Whether you are shipping a release, guarding a web root against tampering, checking a backup for silent bit-rot, or confirming a download landed intact, it gives you cryptographic proof in one command. It runs on any machine with Python 3.8+ — Windows, macOS, or Linux — with nothing to install: download the file and run it. The toolkit bundles four focused commands. **`hash`** computes MD5, SHA-1, SHA-256, or SHA-512 digests of files or piped input, and its output is compatible with the familiar `sha256sum` checklist format (including a `--check` mode to verify one). **`manifest`** walks an entire directory tree and writes a deterministic, self-checked JSON snapshot recording every file's size and SHA-256. **`verify`** re-hashes that tree later and tells you precisely what was added, changed, or removed — perfect as a CI gate or a scheduled tamper-detection job, since it returns clean exit codes. **`hmac`** adds a secret key to the mix, producing tamper-evident tags that an attacker who only sees your files cannot forge. Built for real-world operations, it streams large files in fixed-size chunks so memory stays flat on multi-gigabyte inputs, uses constant-time digest comparisons, supports glob-based exclusions for `.git`, logs, and caches, and offers `--json` output on every command for scripting. It is strictly passive and defensive — no network access, no scanning of third-party systems, and it never writes outside the paths you name. A free, professional-grade artifact from Bug Circuit, for use on the systems you own or are authorized to test. ## How to use - Install Python 3.8 or newer (macOS and most Linux distros already have it; on Windows grab it from python.org). - Download bugcircuit-hash.py from Bug Circuit and open a terminal in the folder where you saved it. - Hash a file to get its fingerprint: python3 bugcircuit-hash.py hash ./yourfile - Snapshot a whole folder into a manifest: python3 bugcircuit-hash.py manifest ./yourfolder -o folder.manifest.json - Later, detect any tampering or corruption: python3 bugcircuit-hash.py verify folder.manifest.json ./yourfolder - For tamper-evident tags, set BUGCIRCUIT_HMAC_KEY and run: python3 bugcircuit-hash.py hmac ./yourfile - Add --json to any command for machine-readable output, and check the exit code (0 = clean, 1 = differences) to wire it into CI. ## Example commands ```bash python3 bugcircuit-hash.py hash ./release.tar.gz python3 bugcircuit-hash.py hash --algo sha512 installer.exe cat backup.sql | python3 bugcircuit-hash.py hash python3 bugcircuit-hash.py hash *.iso > SHA256SUMS && python3 bugcircuit-hash.py hash --check SHA256SUMS python3 bugcircuit-hash.py manifest /var/www/site --exclude '.git/*' --exclude '*.log' -o site.manifest.json python3 bugcircuit-hash.py verify site.manifest.json /var/www/site --exclude '.git/*' --exclude '*.log' python3 bugcircuit-hash.py --quiet verify site.manifest.json ./dist || exit 1 BUGCIRCUIT_HMAC_KEY='release-secret' python3 bugcircuit-hash.py hmac release.tar.gz ``` --- Free · MIT licensed · Python 3.8+ · no dependencies · runs on Windows, macOS & Linux. A free tool from Bug Circuit.
Log & Data Redactor
Scrub secrets out of your logs before you share them — offline, single-file, zero installs. **Log & Data Redactor** is a free, no-install command-line tool that scrubs sensitive data out of logs and text before you share them. Every developer has pasted a log into a ticket or chat and later realized it contained an API key, a customer email, a JWT, or a full credit-card number. This tool catches those *before* they leave your machine. It runs completely offline as a single Python file — Python 3.8+ standard library only, no dependencies, no network activity whatsoever. Point it at a file or pipe text through it and it detects and masks emails, IPv4/IPv6 addresses, credit-card-like numbers (Luhn-validated to avoid flagging ordinary IDs), JSON Web Tokens, AWS access-key IDs, Bearer/Authorization tokens, PEM private-key blocks, and common `password=`/`api_key:` style secrets. You can add your own detectors with a simple `name=REGEX` patterns file, restrict or exclude categories, and choose between readable `[REDACTED:CATEGORY]` labels or character masking (optionally revealing the last N characters for correlation). Built for real workflows: redact to stdout, to another file, or in place with an automatic `.bak` backup and atomic writes. Output is byte-for-byte faithful — non-matching content, line endings, and whitespace are never altered. A per-category summary prints to stderr (or as JSON with `--json-summary`), and meaningful exit codes let you gate CI pipelines so a build fails if a secret leaks into a log. Cross-platform, clean colorized output that degrades gracefully, and a passive/defensive design make it safe to keep in every engineer's toolbox. A free brand artifact from Bug Circuit. ## How to use - Download bugcircuit-logredact.py — no install or dependencies needed (Python 3.8+ only). - Run it on a file: python3 bugcircuit-logredact.py app.log — the cleaned text prints to stdout, a summary to stderr. - Save a cleaned copy with -o clean.log, or edit the original in place with --in-place (a .bak backup is created automatically). - Pipe through it: cat app.log | python3 bugcircuit-logredact.py - > clean.log for use in scripts and CI. - Tune what gets caught with --only / --exclude, switch to --mode mask, or add custom detectors via --patterns myfile. - Check the exit code: 0 = clean, 1 = redactions made — use --json-summary for machine-readable counts in pipelines. ## Example commands ```bash python3 bugcircuit-logredact.py app.log python3 bugcircuit-logredact.py app.log -o app.clean.log cat app.log | python3 bugcircuit-logredact.py - > app.clean.log python3 bugcircuit-logredact.py app.log --in-place python3 bugcircuit-logredact.py payments.log --mode mask --keep-last 4 python3 bugcircuit-logredact.py app.log --only email,ipv4,jwt python3 bugcircuit-logredact.py app.log --patterns my.patterns --json-summary ``` --- Free · MIT licensed · Python 3.8+ · no dependencies · runs on Windows, macOS & Linux. A free tool from Bug Circuit.
Bug Circuit Secret Scanner
Find leaked API keys, tokens, and private keys in your own code before attackers do. **Bug Circuit Secret Scanner** is a free, single-file command-line tool that hunts through your codebase for accidentally committed secrets — AWS access keys, Google API keys, Slack and GitHub tokens, Stripe/Twilio/SendGrid/OpenAI/npm keys, private-key blocks, JSON Web Tokens, generic `api_key = "..."` assignments, and suspicious high-entropy strings. Every hit is reported as **file:line:column** with a type, a severity, and the secret safely **redacted** so your findings are never themselves a leak. Leaked credentials are one of the most common root causes of real-world breaches — attackers actively scrape repositories for exactly these patterns. This scanner lets you get there first. It is fully **passive and offline**: it reads files on your machine, transmits nothing, and modifies nothing. It automatically skips `.git`, `node_modules`, virtualenvs, build output, and binary files, filters out obvious placeholders like `YOUR_API_KEY_HERE`, and validates JWTs and entropy candidates to keep noise down. Written in pure Python 3 standard library — **no pip install, no dependencies** — it runs the moment you download it on Windows, macOS, and Linux. Get clean human-readable output with severity coloring, or `--json` for CI pipelines and pre-commit hooks (exit code `1` when anything is found). Tune sensitivity with `--entropy-threshold`, scope it with `--exclude` globs and a `.secretscanignore` file, and wire it straight into your build. Defensive tooling, brought to you free by Bug Circuit. ## How to use - Install Python 3.8+ (it is standard-library only — no pip install, no dependencies). - Download bugcircuit-secretscan.py into your project or anywhere on your PATH. - Run `python3 bugcircuit-secretscan.py .` to scan the current directory (use `python` on Windows). - Review findings shown as file:line:column with a type, severity, and a redacted preview. - Add `--json > report.json` for machine-readable output, or `--exclude` / a .secretscanignore file to cut noise. - Wire it into CI or a pre-commit hook: exit code 1 means secrets were found. Rotate anything real immediately. ## Example commands ```bash python3 bugcircuit-secretscan.py . python3 bugcircuit-secretscan.py ./src --json > secrets-report.json python3 bugcircuit-secretscan.py . --entropy-threshold 4.6 --exclude '*.test.js' --exclude docs/ python3 bugcircuit-secretscan.py . --no-entropy --color never python3 bugcircuit-secretscan.py . -q || echo 'Secrets found — failing build' ``` --- Free · MIT licensed · Python 3.8+ · no dependencies · runs on Windows, macOS & Linux. A free tool from Bug Circuit.
Content-Security-Policy Builder & Linter
Audit any Content-Security-Policy for weaknesses, or generate a hardened one from a one-line config - offline, in seconds. **bugcircuit-csp** is a single-file, zero-dependency command-line tool that helps you get your Content-Security-Policy right. A misconfigured CSP is one of the most common web-hardening mistakes: `unsafe-inline` left in, a stray `*` wildcard, `http:` sources that invite tampering, or a missing `base-uri`/`frame-ancestors` that quietly leaves you open to `<base>` hijacking and clickjacking. This tool catches all of that. The `lint` command parses a policy - from a flag, a file, or piped straight out of `curl` - and reports every weakness with a severity (CRITICAL down to INFO), a plain-English explanation of *why* it matters, and a concrete fix. The `build` command goes the other way: give it a friendly config like `script=self,cdn.example.com` and it emits a hardened policy with a sensible locked-down baseline (`object-src 'none'`, `base-uri 'none'`, `frame-ancestors 'none'`, `form-action 'self'`), a matching Report-Only variant for safe rollout, and nonce placeholders with guidance on wiring them up per response. Add `--json` to either command to drop it straight into CI. It runs anywhere Python 3.8+ runs - Windows, macOS, Linux - with nothing to install and no network calls whatsoever. Everything happens locally on policy text you provide. It is strictly an auditing and authoring aid for your own sites: no scanning, no exploitation, no traffic. Download it, run it, ship a tighter header. Brought to you free by Bug Circuit. ## How to use - Confirm Python 3.8+ is installed: run `python3 --version` (use `python` on Windows). - Download `bugcircuit-csp.py` - no pip install, no dependencies, it runs as-is. - Audit an existing policy: `python3 bugcircuit-csp.py lint --policy "<your CSP>"` or pipe one in from curl. - Read the findings: each is tagged with a severity, the offending directive, why it is risky, and how to fix it. - Generate a hardened header: `python3 bugcircuit-csp.py build --set script=self,cdn.example.com --set style=self`. - Roll out safely by deploying the Report-Only variant first, then switch to the enforcing header once reports are clean. Add `--json` for CI pipelines. ## Example commands ```bash python3 bugcircuit-csp.py lint --policy "default-src 'self'; script-src 'unsafe-inline' *" python3 bugcircuit-csp.py lint --file mysite-csp.txt --json curl -sI https://your-site.example | grep -i content-security-policy | python3 bugcircuit-csp.py lint python3 bugcircuit-csp.py build --set script=self,cdn.example.com --set style=self --set img=self,data: python3 bugcircuit-csp.py build --config csp.conf --output headers.txt python3 bugcircuit-csp.py lint --file report-only.txt --report-only ``` --- Free · MIT licensed · Python 3.8+ · no dependencies · runs on Windows, macOS & Linux. A free tool from Bug Circuit.
DNS & Email Security Posture Checker
Grade any domain's SPF, DKIM, DMARC, CAA and MX in seconds — free, passive, zero-install. The Bug Circuit DNS & Email Security Posture Checker is a free, single-file command-line tool that tells you — in one command — how well a domain is protected against email spoofing and certificate abuse. Point it at a domain and it queries the live public DNS over DNS-over-HTTPS, inspects the records that matter for deliverability and anti-spoofing (A/AAAA, MX, SPF, DMARC, DKIM and CAA), and prints a clean, graded A-to-F report with the exact records you should publish to fix each gap. It is deliberately passive and read-only. The tool makes the same ordinary DNS lookups any mail server makes to deliver a message — no host scanning, no port probing, no exploitation, no attack automation. That makes it safe to run against domains you own or are authorised to assess, and easy to drop into a CI pipeline or a periodic health check. Findings are prioritised (failures first, then warnings and informational notes), each with a plain-English explanation and a copy-pasteable fix, so non-specialists and seasoned admins alike can act on the results immediately. Because it is pure Python 3 standard library — no pip installs, no external packages — it runs anywhere Python does on Windows, macOS and Linux. Output is colourised in your terminal and degrades gracefully to plain text for files and pipelines. A `--json` mode emits a structured report for dashboards and automation, `--selectors` lets you probe custom DKIM selectors, and meaningful exit codes let you gate builds on posture. It's a small, sharp, brand-quality utility from Bug Circuit that turns a fiddly manual DNS review into a five-second check. ## How to use - Install Python 3.8 or newer (it ships on most macOS/Linux systems; on Windows grab it from python.org). No other dependencies are needed. - Download bugcircuit-dnsposture.py from Bug Circuit and open a terminal in the folder where you saved it. - Run a check: `python bugcircuit-dnsposture.py yourdomain.com` (use `python3` on macOS/Linux). - Read the graded report — failures are listed first, each with a copy-pasteable DNS record to fix it. - Publish the suggested SPF/DKIM/DMARC/CAA records at your DNS provider, then re-run to confirm the grade improves. - For automation, add `--json -o report.json`, or probe a custom DKIM selector with `--selectors yoursel`. ## Example commands ```bash python bugcircuit-dnsposture.py example.com python bugcircuit-dnsposture.py example.com example.org example.net python bugcircuit-dnsposture.py example.com --selectors s1024,mysel python bugcircuit-dnsposture.py --resolver google --json -o report.json example.com python bugcircuit-dnsposture.py --help ``` --- Free · MIT licensed · Python 3.8+ · no dependencies · runs on Windows, macOS & Linux. A free tool from Bug Circuit.
security.txt & Disclosure Kit Generator
Generate a standards-perfect security.txt, robots.txt, and disclosure policy in one command — free, no dependencies. **security.txt & Disclosure Kit Generator** builds the paperwork that lets security researchers report vulnerabilities to you the right way. In one command it produces an [RFC 9116](https://www.rfc-editor.org/rfc/rfc9116)-compliant `/.well-known/security.txt`, a matching legacy root copy, a sensible `robots.txt` that keeps your `security.txt` reachable, and a ready-to-edit **Vulnerability Disclosure Policy** — complete with scope, safe-harbor language, and response-time commitments. It is deliberately **passive and offline**. The tool makes no network connections, runs no scans, and collects no data — it simply writes correctly-formatted text files describing how to reach *your* organization. Every value is validated before anything is written: contacts must be real emails or secure (`https://` / `mailto:` / `tel:`) URIs, the `Expires` date must be in the future, and language tags and policy URLs are checked for you. Bad input produces a clear message and a clean exit code instead of a stack trace, so it drops straight into CI or a Makefile. Distributed by **Bug Circuit** as a single Python 3.8+ file with **zero dependencies** — download it and run. Works on Windows, macOS, and Linux, with a clean colorized (TTY-aware) banner, a fully interactive mode for first-timers, and flag-driven, non-interactive operation for automation. Use it only for domains and brands you own or are authorized to represent, and have your legal counsel review the generated policy before publishing. ## How to use - Install Python 3.8 or newer (standard library only — nothing else to install). - Run `python3 bugcircuit-securitytxt.py` with no arguments to be walked through every field interactively, or pass flags for a one-liner. - Provide at least one contact with `--contact` (email or https URL) and optionally `--policy-url`, `--canonical`, `--encryption`, and `--expires`. - Choose where files land with `--out ./public` (the directory is created if needed); add `--force` to overwrite an existing kit. - Upload the generated `.well-known/security.txt` to your web root and serve it over HTTPS, then confirm it at `https://your-domain/.well-known/security.txt`. - Edit `VULNERABILITY-DISCLOSURE-POLICY.md` to match your real commitments, have legal review it, and set a reminder to refresh the file before its Expires date. ## Example commands ```bash python3 bugcircuit-securitytxt.py python3 bugcircuit-securitytxt.py --contact [email protected] --canonical https://example.com --expires +1y --out ./public python3 bugcircuit-securitytxt.py -c [email protected] -c https://example.com/report --encryption https://example.com/pgp-key.txt --policy-url https://example.com/security-policy --preferred-languages "en, fr" --out ./site --force python3 bugcircuit-securitytxt.py -c [email protected] --no-robots --no-vdp --print python3 bugcircuit-securitytxt.py -c [email protected] --expires 2026-12-31 -o ./out -n -f ``` --- Free · MIT licensed · Python 3.8+ · no dependencies · runs on Windows, macOS & Linux. A free tool from Bug Circuit.
Bug Circuit TLS Check
Check any host's TLS certificate, expiry, and protocol version in one passive handshake — free, single-file, zero dependencies. **Bug Circuit TLS Check** is a free, single-file command-line tool that inspects the TLS/SSL certificate and protocol posture of any host you own or are authorized to test. Point it at `host` (or `host:port`) and it performs one passive handshake, then reports the subject and issuer, the full validity window and — most usefully — the exact **days until expiry**, the Subject Alternative Names, the public-key type and size (RSA 2048-bit, EC P-256, Ed25519…), the signature algorithm, and the negotiated TLS protocol and cipher. It flags hostname mismatches, self-signed and untrusted chains, expired or not-yet-valid certificates, and servers stuck on legacy TLS below 1.2. It's built to fit real operations, not just a one-off look. `--warn-days` turns "expiring soon" into a non-zero exit code so a nightly cron job stays quiet until a certificate actually needs renewing. `--json` emits clean, structured output for dashboards and pipelines. `--hosts file.txt` (with comments, blank lines, and stdin support) audits a whole fleet concurrently, preserving input order, and rolls the results into clear aggregate exit codes: `0` healthy, `1` warning, `2` connection error, `3` usage error. Output is colour-coded on a real terminal and degrades gracefully to plain text when piped or when `NO_COLOR` is set — and it's careful about console encodings on Windows. Because it relies only on the Python 3.8+ standard library, there is nothing to install and nothing to trust beyond Python itself: no pip packages, no OpenSSL binary, no telemetry. Under the hood it even parses raw certificate DER on its own so it can still describe untrusted or expired certs that the normal API would hide. The tool is strictly passive and defensive — it completes an ordinary handshake, reads public certificate data, and disconnects. It never attacks, exploits, brute-forces, or evades. Run it only on systems you own or are authorized to test. MIT-licensed, cross-platform, and brought to you free by Bug Circuit. ## How to use - Install Python 3.8 or newer (nothing else to install — the tool uses only the standard library). - Download bugcircuit-tlscheck.py and open a terminal in the same folder. - Run a single check: python3 bugcircuit-tlscheck.py yourdomain.com - Add --warn-days 30 to be warned (exit code 1) when a certificate expires within 30 days. - Audit many hosts at once with --hosts hosts.txt, and add --json to pipe structured results into monitoring. - Only scan hosts you own or are authorized to test — the tool is passive but responsible use is on you. ## Example commands ```bash python3 bugcircuit-tlscheck.py bugcircuit.com python3 bugcircuit-tlscheck.py example.com:8443 --warn-days 30 python3 bugcircuit-tlscheck.py --hosts hosts.txt --json > tls-report.json python3 bugcircuit-tlscheck.py mail.example.com:465 --sni smtp.example.com python3 bugcircuit-tlscheck.py 10.0.0.10:8443 --no-color -t 5 ``` --- Free · MIT licensed · Python 3.8+ · no dependencies · runs on Windows, macOS & Linux. A free tool from Bug Circuit.
Questions, answered
How fast do I get my order?
Instantly. Your items appear on screen the moment payment clears, land in your inbox seconds later, and stay re-openable forever through your private order link.
How do I pay?
Through PayHere secure checkout with your card. You are charged in Sri Lankan rupees in Sri Lanka and US dollars everywhere else — prices are shown in your local currency before you pay.
Do I need an account?
No. Enter your email at checkout and your items are delivered there — no signup, no password, no friction.
What if something goes wrong with my order?
Real humans have your back. Email [email protected] and we make it right — the same team that handles our security audits handles the store.